Some software (vBulletin, for example) lets you mark admin accounts in its configuration file so that they cannot be edited or deleted from the web-based admin panel; an attacker who gets into the admin panel then cannot change those passwords. Once you have changed the passwords, see whether your software has a way to lock the admin accounts down like that.

You also want to scan your databases for any new admin-level accounts that you don't recognize. I just ran into another one on someone else's site last night.

They can only overwrite your files if they are getting in through an account that has write permission to them. If you're using WordPress, for example, it runs as the web server user, and that user usually CAN write the .htaccess file (WordPress needs that to set up permalinks), so anyone who controls WordPress, including through a compromised plugin, can rewrite it. Once your permalinks are set, make .htaccess read-only for the web server user and you take that route away.

If you're leasing a Linux server, see if you can use TCP Wrappers to restrict who can log in via FTP and Telnet. You do that by denying all services to all IP addresses in /etc/hosts.deny and then explicitly allowing the services only for your own IP addresses in /etc/hosts.allow (hosts.allow is checked first, so your own addresses get through). Two caveats: TCP Wrappers only protects services that are built against libwrap or started through tcpd/inetd, so check that your FTP daemon and SSH daemon actually honor it; and Telnet and plain FTP send your password in the clear, so replace them with SSH and SFTP and restrict those the same way.

If you have the ability to create a firewall, you'll want to scan your Web server logs to see which IP addresses are hammering your server repeatedly (they ask for the same URLs over and over again, for example a login page or xmlrpc.php). You can use a tool like Hurricane Electric's BGP Toolkit (bgp.he.net) to look up which network block an IP address belongs to and which autonomous system (ASN) announces it, and block the whole block.

An IP address that looks like aaa.bbb.ccc.ddd will usually sit inside a network block written like aaa.bbb.ccc.0/24. That notation (CIDR) is the network prefix the ASN announces, not the ASN itself; the ASN is just the number identifying the operator. The "/24" says the first 24 bits are the same for every IP address in the range, which for a /24 is 256 addresses (aaa.bbb.ccc.0 through aaa.bbb.ccc.255). Each section in an IPv4 address uses 8 bits (for a total of 32 bits), so the lookup may also come back with a larger block, such as a /22 or a /16, which covers more addresses than the /24.

You'll usually see who the block is allocated to and which organization runs the ASN. If the traffic is coming from a Web hosting service or a country where you don't expect to do business, you can block the whole block with little risk of shutting out real visitors. Do check the size of the block before you do, though: a large hosting provider's range can also carry legitimate services you use, such as a monitoring service or a payment callback, and you don't want to block those along with the attacker.

If you don't have a firewall, you'll have to use your .htaccess file. Control panels for Web hosting accounts often have a "Deny IP Manager" tool where you can add individual IP addresses and/or whole blocks in CIDR notation (aaa.bbb.ccc.0/24); it writes the same Deny lines into .htaccess for you. Keep in mind that an .htaccess deny still makes the web server process every request before it refuses it, so a real firewall is the better option when you can get one.
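The whole procedure above (find the addresses hammering one URL, leave your own addresses alone, collapse the rest to /24 blocks, and turn those into firewall or .htaccess rules) as an added worked example. This is example code written for this page, not a tool from any of the products mentioned; the log lines are constructed for the example, the /24 is a guess to be checked against the real announced prefix in the BGP Toolkit, and the threshold of 5 hits on one URL and the allow list 192.0.2.0/24 (your own addresses) are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed Apache "combined" log lines for this example; they are not from a real
# server. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:57:10 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:57:15 +0000] "GET /about.html HTTP/1.1" 200 4017 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9900 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9900 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9900 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:01:15 +0000] "GET /wp-admin/ HTTP/1.1" 200 9900 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:01:20 +0000] "GET /wp-admin/ HTTP/1.1" 200 9900 "-" "Mozilla/5.0"
crawler.example.net - - [10/Oct/2023:14:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "bot"
this line is truncated garbage and has no request in it
"""

# Client address, request method and path from one combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Return a list of (client_ip, path); malformed lines and hostnames are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # a hostname (HostnameLookups on) or garbage in the client field
        records.append((ip, m["path"]))
    return records


def find_hammering_ips(records, threshold, allow_nets=()):
    """Return {ip: (path, hits)} for clients that asked for one URL at least
    `threshold` times, ignoring anything inside allow_nets (your own addresses)."""
    allow = [ipaddress.ip_network(n) for n in allow_nets]
    hits = Counter(records)  # keyed by (ip, path), method ignored
    worst = {}
    for (ip, path), n in hits.items():
        if n < threshold or any(ip in net for net in allow):
            continue
        if ip not in worst or n > worst[ip][1]:
            worst[ip] = (path, n)
    return worst


def to_slash24(ips):
    """Collapse IPv4 addresses to the /24 blocks containing them (a guess; confirm the
    real announced prefix in the BGP Toolkit before you block)."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips if ip.version == 4}
    return [str(n) for n in sorted(nets)]


def htaccess_rules(nets):
    """Apache 2.2-style deny block, the form most hosting-panel 'Deny IP' tools write."""
    lines = ["Order Allow,Deny", "Allow from all"] + [f"Deny from {n}" for n in nets]
    return "\n".join(lines) + "\n"


def iptables_rules(nets):
    """Equivalent host-firewall commands for a leased Linux server."""
    return [f"iptables -I INPUT -s {n} -j DROP" for n in nets]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    bad = find_hammering_ips(recs, threshold=5, allow_nets=["192.0.2.0/24"])
    for ip, (path, n) in sorted(bad.items()):
        print(f"{ip} requested {path} {n} times")
    blocks = to_slash24(bad)
    print(htaccess_rules(blocks))
    print("\n".join(iptables_rules(blocks)))
```

Run it against your real access_log instead of SAMPLE_LOG and raise the threshold to something that fits your traffic. On Apache 2.4 the .htaccess equivalent of the Deny lines is a RequireAll block with "Require all granted" followed by one "Require not ip 203.0.113.0/24" per block. The allow list is there because your own address will look like a hammerer while you are cleaning up the site, and you do not want to lock yourself out.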